Malware peddlers are taking advantage of real-time bidding (RTB) advertising networks to deliver ransomware to unsuspecting users, FireEye researchers warn.
“Real Time Bidding is an ad sale and delivery system that allows for instant, autonomous ad auctions at the time the ads are served,” they explained.
“A number of buyers set up bids ahead of time for a certain amount of ad impressions (i.e., page loads) on pre-selected sites and certain target demographic characteristics. When a user requests an ad, the Ad Exchange awards the highest bidder who has an active bid on advertising matching the incoming user’s demographic profile. As a result, the auction winner’s ad is displayed. This all occurs in real-time, as each ad is requested from the ad servers.”
The ad servers in question are either legitimate servers that have been compromised or rogue servers controlled by the attackers.
When a user clicks on the malicious ad, information about the visitor (geographic location, operating system, browser and so on) is sent back to the ad exchange. The returned HTML page loads SWF files and additional scripts.
One of these SWF files is crafted to exploit an Adobe Flash vulnerability (CVE-2014-0569) that was patched last October.
Once the exploit succeeds, a CryptoWall variant or other malware is dropped onto the user's system. Interestingly, not all payloads are malicious: some of them deliver seemingly benign Windows operating system files.
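The ad-exchange → SWF → payload chain described above leaves a recognisable footprint in web proxy logs. The following is an added example and not FireEye's code or anything from the original report; the log format, field names, sample entries and the 60-second window are all constructed assumptions.

```python
"""Flag proxy-log sessions matching the malvertising chain: a Flash (SWF)
fetch followed shortly by an executable download from the same client.
Log format "timestamp client_ip url content_type" is constructed for this
example, as are the sample entries below."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample proxy log (hostnames are placeholders, not real IoCs)
SAMPLE_LOG = """\
2015-02-10T10:00:01 10.0.0.5 http://adexchange.example/bid?zone=7 text/html
2015-02-10T10:00:02 10.0.0.5 http://cdn-ads.example/creative.swf application/x-shockwave-flash
2015-02-10T10:00:09 10.0.0.5 http://files.example/update.exe application/x-msdownload
2015-02-10T10:05:00 10.0.0.9 http://news.example/index.html text/html
2015-02-10T10:05:01 10.0.0.9 http://cdn-ads.example/banner.swf application/x-shockwave-flash
2015-02-10T10:30:00 10.0.0.9 http://files.example/setup.exe application/x-msdownload
"""

SWF_TYPES = {"application/x-shockwave-flash"}
EXE_TYPES = {"application/x-msdownload", "application/octet-stream"}
WINDOW = timedelta(seconds=60)  # assumed: exploit-to-drop happens within a minute

def parse_log(text):
    """Parse the constructed log format into (timestamp, ip, url, content_type)."""
    events = []
    for line in text.splitlines():
        ts, ip, url, ctype = line.split()
        events.append((datetime.fromisoformat(ts), ip, url, ctype))
    return events

def find_swf_to_exe_chains(events, window=WINDOW):
    """Return (client_ip, swf_url, exe_url) for each client where an
    executable download follows a SWF fetch within `window`."""
    by_client = defaultdict(list)
    for ev in events:
        by_client[ev[1]].append(ev)
    hits = []
    for ip, evs in by_client.items():
        evs.sort()  # tuples sort by timestamp first
        for i, (t_swf, _, swf_url, ctype) in enumerate(evs):
            if ctype not in SWF_TYPES:
                continue
            for t_exe, _, exe_url, ctype2 in evs[i + 1:]:
                if t_exe - t_swf > window:
                    break  # outside the window; later events are even later
                if ctype2 in EXE_TYPES:
                    hits.append((ip, swf_url, exe_url))
                    break
    return hits

if __name__ == "__main__":
    for hit in find_swf_to_exe_chains(parse_log(SAMPLE_LOG)):
        print("suspicious chain:", hit)
```

Because the report notes that some drops are benign Windows files, a hit is a triage lead (confirm the downloaded file and the SWF), not a verdict on its own.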
The researchers believe that this malvertising campaign has been running since February 4, 2015, and is still active.